Skip to main content
Glama

Export all search results to a file

sumo_export_results
Read-only

Stream Sumo Logic search results to a NDJSON file on disk for bulk log analysis. Returns the file path for programmatic access.

Instructions

Runs a search and streams ALL results (up to the 100,000 server cap) to an NDJSON file on disk, returning the file path — NOT the content. Use this for bulk analysis ("feed the logs to a coding agent") instead of large inline limits. Each line is one flattened log object (metadata + parsed _raw log.* fields). Lines are CHRONOLOGICAL (oldest→newest by _messagetime; the server appends "| sort by _messagetime asc" to non-aggregate queries — a PARTIAL result may not be fully ordered). Aggregate queries export their records instead (one JSON record per line, query order; maxMessages/extract do not apply). If more than 100k messages match, split the time range into multiple exports. Time range: exactly ONE of last (relative, e.g. "15m", "2h"; units s/m/h/d) OR both from and to (ISO-8601 like 2026-07-02T18:28:00, or epoch milliseconds).

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
toNoEnd time: ISO-8601 or epoch ms. Requires `from`.
fromNoStart time: ISO-8601 or epoch ms. Requires `to`.
lastNoRelative window ending now, e.g. "15m", "2h", "1d". Mutually exclusive with from/to.
queryYesSumo Logic query text.
extractNoOptional per-field JSON extraction: alias → path under _raw, e.g. {"status":"log.status","user":"log.context.user"}. Appends one `| json field=_raw "<path>" as <alias> nodrop` clause per entry (chained; never the broken comma multi-extract form). Aliases must be simple identifiers; non-aggregate queries only. Extracted aliases join the flattened field namespace (combine with `fields` or ndjson/export lines).
timeZoneNoIANA timezone for query-time parsing (default UTC).
maxMessagesNoStop after this many messages (default 100,000).
byReceiptTimeNoSearch by receipt time; recommended true for very recent windows (ingestion lag).
Behavior5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

The description richly details behavior beyond the annotations: streaming to file, 100k cap, chronological ordering with caveats for partial results, aggregate query handling, and time range requirements. It also explains extraction mechanics and the interaction of maxMessages. This far exceeds the minimal behavioral disclosure from annotations (readOnlyHint=true).

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single well-structured paragraph that front-loads the core purpose ('Runs a search and streams ALL results...') before diving into details. It is slightly lengthy but every sentence adds value, and the information density is appropriate for the tool's complexity.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (8 parameters, nested objects, no output schema), the description covers all essential aspects: behavior, return value, ordering, aggregate vs. non-aggregate, extraction, time range options, cap, and receipt time. There are no obvious gaps; the description is sufficiently complete for an AI agent to use the tool correctly.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Although schema coverage is 100%, the description adds significant meaning: it clarifies that time range must be exactly one of `last` or both `from`/`to`, explains the extra `| sort by _messagetime asc` appended to non-aggregate queries, details the extraction alias format and chaining, and notes the default and cap for maxMessages. These insights go well beyond the schema descriptions.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's action: 'Runs a search and streams ALL results... to an NDJSON file on disk, returning the file path — NOT the content.' It uses a specific verb ('export') and resource ('results to a file'), and distinguishes from sibling tools by contrasting with 'large inline limits' and implying that other tools return content directly.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly says 'Use this for bulk analysis... instead of large inline limits,' providing a clear when-to-use scenario. It also advises splitting time ranges if more than 100k messages match, which is a good usage constraint. However, it does not name specific sibling alternatives, so the guidance is slightly less explicit than ideal.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/mbe24/yokozuna-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server